“The developer whose credentials were being used was sitting at his desk in the office,” Valentine wrote. “Plainly stated, the VPN logs showed him logged in from China, yet the employee is right there, sitting at his desk, staring into his monitor.”
The company initially suspected malware. Investigators went through a forensic image of the developer’s computer to look for signs of malicious software and found hundreds of .pdf invoices from a third-party developer in Shenyang.

“As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm,” Valentine explained. “Bob spent less that one fifth of his six-figure salary for a Chinese firm to do his job for him.”

So what did the developer do when he was sitting at his desk? According to his browsing history, a typical day involved surfing Reddit, watching cat videos, shopping on eBay, updating Facebook and LinkedIn and, at the end of the day, sending an update email to management.

“Evidence even suggested he had the same scam going across multiple companies in the area,” Valentine wrote.

All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.